Cyber Incident Victim: Training School of the First Scout Ranger Regiment, Philippine Army
Date: Apr 2019
Location: Philippines
Summary
A cyber incident targeting the training school of an elite military unit involved unauthorized access to third-party servers hosting non-classified personnel data, reportedly compromising information on 20,000 soldiers. Military investigations confirmed the primary defense network remained secure as a closed system, attributing the breach to external servers undergoing migration to the internal network. Exfiltrated data consisted of registry details already publicly accessible, with no operational or classified material affected. The armed forces addressed the vulnerability through their cybersecurity team, emphasizing ongoing reviews and enhanced protective measures. The Army clarified the leaked files originated from outdated databases being transitioned, noting the timing of the disclosure appeared orchestrated to coincide with a symbolic date.
Description
In early April 2019, the Department of National Defense (DND) publicly addressed reports of a cybersecurity breach involving the Training School of the First Scout Ranger Regiment, an elite Philippine Army unit. According to DND spokesperson Arsenio Andolong, approximately 20,000 soldiers' information was stolen during the incident, prompting urgent advisories for the Armed Forces of the Philippines (AFP) to strengthen cyber defenses. Initial AFP investigations revealed the breach occurred during a data migration process from third-party Internet service provider servers to the secure Army network between December 2018 and January 2019. Philippine Army spokesperson Lt. Col. Ramon Zagala clarified that the compromised data originated from exposed dump files of an old database being transferred from external servers, not from the primary Army network. The files contained non-classified information already available in Scout Ranger Training School registry books and public internet sources. Army officials stated they had addressed the vulnerability by January 1, 2019, though the data leak became public months later on April 1, coinciding with the hacker's apparent intent to mark April Fool's Day.

The AFP Computer Emergency Response Team (CERT) under the AFP Cyber Group led containment efforts, confirming the closed AFP Network (AFPNET) remained secure due to its isolation from public internet access. Col. Noel Detoyato, AFP public affairs chief, emphasized operational data remained uncompromised as the breach only affected legacy systems being phased out. Investigations determined the attackers forcibly accessed third-party servers that were in the process of being vacated, with all vulnerable data subsequently migrated to AFPNET. Concurrently, the Philippine Navy had completed a cybersecurity review prior to the incident, while the Philippine Army, Air Force, and AFP general headquarters initiated similar security assessments following the breach. The Army implemented additional stringent security measures and continuous vulnerability assessments to prevent recurrence, maintaining that core military networks retained integrity throughout the incident. No further data exposures or operational impacts were reported following the migration completion and security enhancements.
